swift kilo版代码更新
今天重新搭建swift服务器,git下代码后一时好奇,进入kilo/stable branch后,与四个月前下载的swift/kilo版本做了个比较。使用diff命令完成。发现代码还是略有区别。
diff -r -u -N --new-file swift/swift/common/bufferedhttp.py swift-kilo/swift/common/bufferedhttp.py
--- swift/swift/common/bufferedhttp.py 2015-09-18 15:30:03.730723515 +0800
+++ swift-kilo/swift/common/bufferedhttp.py 2015-09-18 16:43:36.283386102 +0800
@@ -27,19 +27,14 @@
"""
from swift import gettext_ as _
-from swift.common import constraints
from urllib import quote
import logging
import time
import socket
-import eventlet
from eventlet.green.httplib import CONTINUE, HTTPConnection, HTTPMessage, \
HTTPResponse, HTTPSConnection, _UNKNOWN
-httplib = eventlet.import_patched('httplib')
-httplib._MAXHEADERS = constraints.MAX_HEADER_COUNT
-
class BufferedHTTPResponse(HTTPResponse):
"""HTTPResponse class that buffers reading of headers"""
diff -r -u -N --new-file swift/swift/common/constraints.py swift-kilo/swift/common/constraints.py
--- swift/swift/common/constraints.py 2015-09-18 15:30:03.730723515 +0800
+++ swift-kilo/swift/common/constraints.py 2015-09-18 16:43:36.259385971 +0800
@@ -36,7 +36,6 @@
MAX_ACCOUNT_NAME_LENGTH = 256
MAX_CONTAINER_NAME_LENGTH = 256
VALID_API_VERSIONS = ["v1", "v1.0"]
-EXTRA_HEADER_COUNT = 0
# If adding an entry to DEFAULT_CONSTRAINTS, note that
# these constraints are automatically published by the
@@ -55,7 +54,6 @@
'max_account_name_length': MAX_ACCOUNT_NAME_LENGTH,
'max_container_name_length': MAX_CONTAINER_NAME_LENGTH,
'valid_api_versions': VALID_API_VERSIONS,
- 'extra_header_count': EXTRA_HEADER_COUNT,
}
SWIFT_CONSTRAINTS_LOADED = False
@@ -107,13 +105,6 @@
'xml': 'application/xml'}
-# By default the maximum number of allowed headers depends on the number of max
-# allowed metadata settings plus a default value of 32 for regular http
-# headers. If for some reason this is not enough (custom middleware for
-# example) it can be increased with the extra_header_count constraint.
-MAX_HEADER_COUNT = MAX_META_COUNT + 32 + max(EXTRA_HEADER_COUNT, 0)
-
-
def check_metadata(req, target_type):
"""
Check metadata sent in the request headers. This should only check
diff -r -u -N --new-file swift/swift/common/middleware/tempurl.py swift-kilo/swift/common/middleware/tempurl.py
--- swift/swift/common/middleware/tempurl.py 2015-09-18 15:30:03.738723545 +0800
+++ swift-kilo/swift/common/middleware/tempurl.py 2015-09-18 16:43:36.243385885 +0800
@@ -122,13 +122,11 @@
from urlparse import parse_qs
from swift.proxy.controllers.base import get_account_info, get_container_info
-from swift.common.swob import HeaderKeyDict, HTTPUnauthorized, HTTPBadRequest
+from swift.common.swob import HeaderKeyDict, HTTPUnauthorized
from swift.common.utils import split_path, get_valid_utf8_str, \
register_swift_info, get_hmac, streq_const_time, quote
-DISALLOWED_INCOMING_HEADERS = 'x-object-manifest'
-
#: Default headers to remove from incoming requests. Simply a whitespace
#: delimited list of header names and names can optionally end with '*' to
#: indicate a prefix match. DEFAULT_INCOMING_ALLOW_HEADERS is a list of
@@ -152,10 +150,6 @@
DEFAULT_OUTGOING_ALLOW_HEADERS = 'x-object-meta-public-*'
-CONTAINER_SCOPE = 'container'
-ACCOUNT_SCOPE = 'account'
-
-
def get_tempurl_keys_from_metadata(meta):
"""
Extracts the tempurl keys from metadata.
@@ -176,38 +170,6 @@
quote(filename, safe=' /'), quote(filename))
-def authorize_same_account(account_to_match):
-
- def auth_callback_same_account(req):
- try:
- _ver, acc, _rest = req.split_path(2, 3, True)
- except ValueError:
- return HTTPUnauthorized(request=req)
-
- if acc == account_to_match:
- return None
- else:
- return HTTPUnauthorized(request=req)
-
- return auth_callback_same_account
-
-
-def authorize_same_container(account_to_match, container_to_match):
-
- def auth_callback_same_container(req):
- try:
- _ver, acc, con, _rest = req.split_path(3, 4, True)
- except ValueError:
- return HTTPUnauthorized(request=req)
-
- if acc == account_to_match and con == container_to_match:
- return None
- else:
- return HTTPUnauthorized(request=req)
-
- return auth_callback_same_container
-
-
class TempURL(object):
"""
WSGI Middleware to grant temporary URLs specific access to Swift
@@ -268,10 +230,6 @@
#: The methods allowed with Temp URLs.
self.methods = methods
- self.disallowed_headers = set(
- 'HTTP_' + h.upper().replace('-', '_')
- for h in DISALLOWED_INCOMING_HEADERS.split())
-
headers = DEFAULT_INCOMING_REMOVE_HEADERS
if 'incoming_remove_headers' in conf:
headers = conf['incoming_remove_headers']
@@ -340,10 +298,10 @@
return self.app(env, start_response)
if not temp_url_sig or not temp_url_expires:
return self._invalid(env, start_response)
- account, container = self._get_account_and_container(env)
+ account = self._get_account(env)
if not account:
return self._invalid(env, start_response)
- keys = self._get_keys(env)
+ keys = self._get_keys(env, account)
if not keys:
return self._invalid(env, start_response)
if env['REQUEST_METHOD'] == 'HEAD':
@@ -358,32 +316,15 @@
else:
hmac_vals = self._get_hmacs(env, temp_url_expires, keys)
- is_valid_hmac = False
- hmac_scope = None
- for hmac, scope in hmac_vals:
- # While it's true that we short-circuit, this doesn't affect the
- # timing-attack resistance since the only way this will
- # short-circuit is when a valid signature is passed in.
- if streq_const_time(temp_url_sig, hmac):
- is_valid_hmac = True
- hmac_scope = scope
- break
+ # While it's true that any() will short-circuit, this doesn't affect
+ # the timing-attack resistance since the only way this will
+ # short-circuit is when a valid signature is passed in.
+ is_valid_hmac = any(streq_const_time(temp_url_sig, hmac)
+ for hmac in hmac_vals)
if not is_valid_hmac:
return self._invalid(env, start_response)
- # disallowed headers prevent accidently allowing upload of a pointer
- # to data that the PUT tempurl would not otherwise allow access for.
- # It should be safe to provide a GET tempurl for data that an
- # untrusted client just uploaded with a PUT tempurl.
- resp = self._clean_disallowed_headers(env, start_response)
- if resp:
- return resp
self._clean_incoming_headers(env)
-
- if hmac_scope == ACCOUNT_SCOPE:
- env['swift.authorize'] = authorize_same_account(account)
- else:
- env['swift.authorize'] = authorize_same_container(account,
- container)
+ env['swift.authorize'] = lambda req: None
env['swift.authorize_override'] = True
env['REMOTE_USER'] = '.wsgi.tempurl'
qs = {'temp_url_sig': temp_url_sig,
@@ -424,23 +365,22 @@
return self.app(env, _start_response)
- def _get_account_and_container(self, env):
+ def _get_account(self, env):
"""
- Returns just the account and container for the request, if it's an
- object request and one of the configured methods; otherwise, None is
+ Returns just the account for the request, if it's an object
+ request and one of the configured methods; otherwise, None is
returned.
:param env: The WSGI environment for the request.
- :returns: (Account str, container str) or (None, None).
+ :returns: Account str or None.
"""
if env['REQUEST_METHOD'] in self.methods:
try:
ver, acc, cont, obj = split_path(env['PATH_INFO'], 4, 4, True)
except ValueError:
- return (None, None)
+ return None
if ver == 'v1' and obj.strip('/'):
- return (acc, cont)
- return (None, None)
+ return acc
def _get_temp_url_info(self, env):
"""
@@ -470,23 +410,18 @@
inline = True
return temp_url_sig, temp_url_expires, filename, inline
- def _get_keys(self, env):
+ def _get_keys(self, env, account):
"""
Returns the X-[Account|Container]-Meta-Temp-URL-Key[-2] header values
- for the account or container, or an empty list if none are set. Each
- value comes as a 2-tuple (key, scope), where scope is either
- CONTAINER_SCOPE or ACCOUNT_SCOPE.
+ for the account or container, or an empty list if none are set.
Returns 0-4 elements depending on how many keys are set in the
account's or container's metadata.
:param env: The WSGI environment for the request.
- :returns: [
- (X-Account-Meta-Temp-URL-Key str value, ACCOUNT_SCOPE) if set,
- (X-Account-Meta-Temp-URL-Key-2 str value, ACCOUNT_SCOPE if set,
- (X-Container-Meta-Temp-URL-Key str value, CONTAINER_SCOPE) if set,
- (X-Container-Meta-Temp-URL-Key-2 str value, CONTAINER_SCOPE if set,
- ]
+ :param account: Account str.
+ :returns: [X-Account-Meta-Temp-URL-Key str value if set,
+ X-Account-Meta-Temp-URL-Key-2 str value if set]
"""
account_info = get_account_info(env, self.app, swift_source='TU')
account_keys = get_tempurl_keys_from_metadata(account_info['meta'])
@@ -495,28 +430,25 @@
container_keys = get_tempurl_keys_from_metadata(
container_info.get('meta', []))
- return ([(ak, ACCOUNT_SCOPE) for ak in account_keys] +
- [(ck, CONTAINER_SCOPE) for ck in container_keys])
+ return account_keys + container_keys
- def _get_hmacs(self, env, expires, scoped_keys, request_method=None):
+ def _get_hmacs(self, env, expires, keys, request_method=None):
"""
:param env: The WSGI environment for the request.
:param expires: Unix timestamp as an int for when the URL
expires.
- :param scoped_keys: (key, scope) tuples like _get_keys() returns
+ :param keys: Key strings, from the X-Account-Meta-Temp-URL-Key[-2] of
+ the account.
:param request_method: Optional override of the request in
the WSGI env. For example, if a HEAD
does not match, you may wish to
override with GET to still allow the
HEAD.
-
- :returns: a list of (hmac, scope) 2-tuples
"""
if not request_method:
request_method = env['REQUEST_METHOD']
- return [
- (get_hmac(request_method, env['PATH_INFO'], expires, key), scope)
- for (key, scope) in scoped_keys]
+ return [get_hmac(
+ request_method, env['PATH_INFO'], expires, key) for key in keys]
def _invalid(self, env, start_response):
"""
@@ -533,22 +465,6 @@
body = '401 Unauthorized: Temp URL invalid\n'
return HTTPUnauthorized(body=body)(env, start_response)
- def _clean_disallowed_headers(self, env, start_response):
- """
- Validate the absense of disallowed headers for "unsafe" operations.
-
- :returns: None for safe operations or swob.HTTPBadResponse if the
- request includes disallowed headers.
- """
- if env['REQUEST_METHOD'] in ('GET', 'HEAD', 'OPTIONS'):
- return
- for h in env:
- if h in self.disallowed_headers:
- return HTTPBadRequest(
- body='The header %r is not allowed in this tempurl' %
- h[len('HTTP_'):].title().replace('_', '-'))(
- env, start_response)
-
def _clean_incoming_headers(self, env):
"""
Removes any headers from the WSGI environment as per the
diff -r -u -N --new-file swift/swift/proxy/server.py swift-kilo/swift/proxy/server.py
--- swift/swift/proxy/server.py 2015-09-18 15:30:03.754723606 +0800
+++ swift-kilo/swift/proxy/server.py 2015-09-18 16:43:36.111385171 +0800
@@ -378,7 +378,6 @@
allowed_methods = getattr(controller, 'allowed_methods', set())
return HTTPMethodNotAllowed(
request=req, headers={'Allow': ', '.join(allowed_methods)})
- old_authorize = None
if 'swift.authorize' in req.environ:
# We call authorize before the handler, always. If authorized,
# we remove the swift.authorize hook so isn't ever called
@@ -389,7 +388,7 @@
if not resp and not req.headers.get('X-Copy-From-Account') \
and not req.headers.get('Destination-Account'):
# No resp means authorized, no delayed recheck required.
- old_authorize = req.environ['swift.authorize']
+ del req.environ['swift.authorize']
else:
# Response indicates denial, but we might delay the denial
# and recheck later. If not delayed, return the error now.
@@ -399,13 +398,7 @@
# gets mutated during handling. This way logging can display the
# method the client actually sent.
req.environ['swift.orig_req_method'] = req.method
- try:
- if old_authorize:
- req.environ.pop('swift.authorize', None)
- return handler(req)
- finally:
- if old_authorize:
- req.environ['swift.authorize'] = old_authorize
+ return handler(req)
except HTTPException as error_response:
return error_response
except (Exception, Timeout):
其中,swift目录为最新版本的swift kilo/stable中源码;swift-kilo目录为四个月前下载的源码。
从上面的比较中,可以看出两个时段的代码略有区别,差异在百来行左右,主要集中于tempurl中间件代码中。这部分,与我动手修改的部分关系不大。唯一稍稍有关的代码更新,可能就是proxy server中代码更新。但仔细研究后发现,就是对旧的认证入口函数做了一个保存,在返回产生异常时,利用旧认证函数对env中认证函数进行赋值。相当于对代码逻辑的小小完善,对整体大流程不会有影响。
我想,我可以放心在最新kilo分支代码上进行修改,并利用它搭建系统,进行压力测试。
swift kilo版代码更新的更多相关文章
- Unity手游之路<十三>手游代码更新策略探讨
http://blog.csdn.net/janeky/article/details/25923151 这几个月公司项目非常忙,加上家里事情也多,所以blog更新一直搁置了.最近在项目开发上线过程中 ...
- openstack【Kilo】汇总:包括20英文文档、各个组件新增功能及Kilo版部署
OpenStack Kilo版本发布 20英文文档OpenStack Kilo版本文档汇总:各个操作系统安装部署.配置文档.用户指南等文档 Kilo版部署 openstack[Kilo]入门 [准备篇 ...
- Unity手游之路手游代码更新策略探讨
版权声明: https://blog.csdn.net/janeky/article/details/25923151 这几个月公司项目非常忙.加上家里事情也多,所以blog更新一直搁置了. 近期在项 ...
- OpenStack Kilo版加CEPH部署手册
OpenStack Kilo版加CEPH部署手册 作者: yz联系方式: QQ: 949587200日期: 2015-7-13版本: Kilo 转载地址: http://mp.weixin.qq.co ...
- Win10桌面预览版14316更新内容大全
下载更新: 安装之后右下角: Win10桌面预览版14316更新内容: Windows上运行乌班图Bash:通过设置开启开发者模式,更新和安全>面向开发人员.然后搜索"Wi ...
- 理解JavaScript设计模式与开发应用中发布-订阅模式的最终版代码
最近拜读了曾探所著的<JavaScript设计模式与开发应用>一书,在读到发布-订阅模式一章时,作者不仅给出了基本模式的通用版本的发布-订阅模式的代码,最后还做出了扩展,给该模式增加了离线 ...
- WebGIS中以version方式实现代码更新后前端自动读取更新代码的方法
文章版权由作者李晓晖和博客园共有,若转载请于明显处标明出处:http://www.cnblogs.com/naaoveGIS/ 1. 前言 GIS代码进行更新后,由于用户前端已有缓存,导致更新的功能不 ...
- 【剑指offer】Java版代码(完整版)
原文地址:https://blog.csdn.net/baiye_xing/article/details/78428561 一.引言 <剑指offer>可谓是程序猿面试的神书了,在面试中 ...
- git如何merge github forked repository里的代码更新?(转)
参考内容:git如何merge github forked repository里的代码更新? [refer to ]http://www.haojii.com/2011/08/how-to-git- ...
随机推荐
- bzoj 1782: [Usaco2010 Feb]slowdown 慢慢游【dfs序+线段树】
考虑每头牛到达之后的影响,u到达之后,从1到其子树内的点需要放慢的都多了一个,p为u子树内点的牛ans会加1 用线段树维护dfs序,每次修改子树区间,答案直接单点查询p即可 #include<i ...
- bzoj4987: Tree(树形dp)
Description 从前有棵树. 找出K个点A1,A2,…,Ak. 使得∑dis(AiAi+1),(1<=i<=K-1)最小. Input 第一行两个正整数n,k,表示数的顶点数和 ...
- 使用 typescript 和 canvas 重构snow效果
前言:之前做过一个 snow 效果,但是是直接用 HTML 做的点击此处查看 ,几个星期前,我用 typescript 和 canvas 重构了一下, snow效果是一个很简单的效果,但是用来练手还是 ...
- zabbix详细介绍及其自动动态发现
zabbix3.2.1 第1章 安装 1.1 查看系统环境 [root@centos7-2 ~]# [root@centos7-2 ~]# hostname -I 10.0.0.10 172.16.1 ...
- cloudera-server启动File not found : /usr/sbin/cmf-server解决办法(图文详解)
解决方法 见 cloudera-agent启动File not found : /usr/sbin/cmf-agent解决办法(图文详解) 欢迎大家,加入我的微信公众号:大数据躺过的坑 ...
- 漫谈未来的HDFS
前面我们提到的HDFS,了解了HDFS的特性和架构.HDFS能够存储TB甚至PB规模的数据是有前提的,首先数据要以大文件为主,其次NameNode的内存要足够大.对HDFS有所了解的同学肯定都知道,N ...
- 下载github项目
两种方法:通过https或者ssh地址 找一个放置项目的文件夹,右键git bash here 输入 $ git clone https://项目地址 通过https 项目地址可以直接复制网页地址,或 ...
- Xilinx FPGA编程技巧之常用时序约束详解
1. 基本的约束方法 为了保证成功的设计,所有路径的时序要求必须能够让执行工具获取.最普遍的三种路径为: 输入路径(Input Path),使用输入约束 寄存器到寄存器路径(Register-to ...
- Learning Face Age Progression: A Pyramid Architecture of GANs
前言 作为IP模式识别的CNN初始模型是作为单纯判别式-模式识别存在的,并以此为基本模型扩展到各个方向.基本功能为图像判别模型,此后基于Loc+CNN的检测模型-分离式.end2end.以及MaskC ...
- Modbus测试工具ModbusPoll与Modbus Slave使用方法
感谢https://blog.csdn.net/byxdaz/article/details/77979114原创,由于CSDN经常调整,故再编辑收藏,并修改了部分BUG. 一.介绍 Modbus P ...